
Hospitals Move to Tighten Data Security

By dnicastro@hcpro.com | September 15, 2010

Mayo Clinic has fired an employee at a business center in Arizona because they accessed nearly 2,000 patient medical and financial records over a four-year period—just to take a peek, the Post-Bulletin of Rochester, MN, reports.

The employee accessed an estimated 1,700 patient records, Mayo spokesman Chris Gade told the Post-Bulletin. The employee's access rights covered all Mayo Clinic patient records at all Mayo sites. That is far broader than a business-center role requires: a role scoped to the accounts the employee actually worked would have limited what could be reached, and routine review of access logs against that scope would have surfaced the pattern long before four years had passed.

Officials discovered the breach in mid-July. They did not release the name of the healthcare worker.

"This activity took place between 2006 and 2010. An internal investigation was immediately launched. Following a thorough review of the facts, the person was fired," Mayo said in a statement.

Mayo isn't the first hospital to deal with a worker snooping in patient records.

Kaiser Permanente Bellflower Hospital in Los Angeles in May 2009 was assessed a $250,000 fine because 23 employees at a number of Kaiser facilities with access to electronic medical records unlawfully breached the privacy of a patient who gave birth to octuplets earlier in the year.

Snooping landed another employee in jail earlier this year. United States Magistrate Judge Andrew J. Wistrich sentenced a former UCLA Healthcare System employee who admitted snooping in patients' records to four months in prison on April 27, according to the U.S. Attorney's Office in the Central District of California.

Huping Zhou, 47, of Los Angeles, admitted to illegally reading private and confidential medical records, mostly those of celebrities and other high-profile patients, the U.S. Attorney's Office said in a release.

Wistrich condemned Zhou for his lack of respect for patient privacy, according to the release.

Zhou was the first person in the nation to be convicted and incarcerated for misdemeanor HIPAA offenses for merely accessing confidential records without a valid reason or authorization, according to the attorney's office.

Zhou in January of this year pleaded guilty to four misdemeanor counts of violating the HIPAA Privacy Rule. He is a licensed cardiothoracic surgeon in China who was employed in 2003 at UCLA Healthcare System as a researcher with the UCLA School of Medicine.

Worried about snoopers at your facility? Some facilities use "honeypots" as bait to catch staff members who snoop in violation of HIPAA. "Honeypots," also referred to as "honeynuts," are fictitious medical records that IT monitors to determine whether anyone is accessing them. Because no clinical, billing, or research task can legitimately require opening a chart that belongs to a patient who does not exist, any read of a decoy record is a high-confidence signal, which is what makes the approach cheaper to operate than reviewing all access logs by hand.

The terms honeypots and honeynuts derive from the notion that if you want to catch birds, you scatter birdseed.

Use these tips regarding honeypots to catch snoopers and respond accordingly:

  • Gain executive sponsorship. "Using a honeypot implicitly communicates we don't trust our staff, even though we know that insider snooping is by far the most common cause of privacy or security breaches," John R. Christiansen, founder of Christiansen IT Law in Seattle, says. You need to have executive sponsorship willing to back you in the event that the use of honeypots results in controversy.
  • Get HR buy-in. HR must be looped in to ensure that it will take appropriate action if you catch someone accessing records inappropriately, Christiansen says, adding that "legal counsel should vet the whole program to make sure legal risks are avoided."
  • Conduct a risk assessment of your systems and equipment. Then create records for five media-centric personalities, making them as real as possible. Don't be too obvious. For instance, Madonna would probably not end up in a central Montana facility.
  • Beware of entrapment. Honeypots are analogous to entrapment; they're bait that wouldn't work if someone wasn't predisposed to snooping, Christiansen says, because, as W.C. Fields said, "You can't cheat an honest man." Organizations should be certain that staff members know about policies that prohibit snooping and that system configuration prevents accidental access, says Christiansen.
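The following is an added example of the monitoring step the tips above describe: it scans constructed EHR audit log lines for reads of decoy records, ignores the privacy-office account that maintains the decoys, and counts only actions that actually display chart contents, so a decoy merely appearing in a search result list (the "accidental access" concern Christiansen raises) is not flagged. It is not code from the article, from Mayo, or from any EHR vendor; the log format, decoy identifiers, account names, and action codes are all assumptions.

```python
"""Decoy ("honeypot") medical-record access detection over EHR audit log lines.

Added example, not from the article or any EHR product. The pipe-delimited log
format, decoy MRNs, account names and action codes below are assumptions.
"""
from collections import defaultdict
from datetime import datetime

# Hypothetical decoy patient IDs: records that exist only as bait, so no
# clinical or billing task can legitimately require opening them.
DECOY_PATIENT_IDS = {"MRN-9000101", "MRN-9000102", "MRN-9000103"}

# Accounts permitted to touch decoys (the privacy office that maintains them).
# Assumed name.
MAINTENANCE_ACCOUNTS = {"svc_privacy_audit"}

# Actions that mean chart contents were actually displayed. A decoy surfacing
# in a search result list (SEARCH_RESULT) is not a read of its contents and is
# not flagged, which keeps accidental exposure out of the alert stream.
CHART_READ_ACTIONS = {"VIEW_CHART", "VIEW_NOTES", "VIEW_BILLING", "PRINT"}


def parse_line(line):
    """Parse 'timestamp|user|patient_id|action|workstation'; None if malformed."""
    parts = line.strip().split("|")
    if len(parts) != 5:
        return None
    ts, user, patient_id, action, workstation = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return {"when": when, "user": user, "patient_id": patient_id,
            "action": action, "workstation": workstation}


def find_decoy_hits(lines, decoys=DECOY_PATIENT_IDS, allow=MAINTENANCE_ACCOUNTS):
    """Return the audit events in which a non-exempt user read a decoy chart."""
    hits = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # skip malformed lines rather than crash the review job
        if ev["patient_id"] not in decoys:
            continue
        if ev["user"] in allow:
            continue
        if ev["action"] not in CHART_READ_ACTIONS:
            continue
        hits.append(ev)
    return hits


def summarize_by_user(hits):
    """Per user: decoy reads, distinct decoys touched, first and last read time."""
    per_user = defaultdict(list)
    for ev in hits:
        per_user[ev["user"]].append(ev)
    summary = {}
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["when"])
        summary[user] = {
            "reads": len(evs),
            "distinct_decoys": len({e["patient_id"] for e in evs}),
            "first": evs[0]["when"],
            "last": evs[-1]["when"],
            "workstations": sorted({e["workstation"] for e in evs}),
        }
    return summary


# Constructed sample audit lines (not real data).
SAMPLE_LOG = [
    "2010-07-10T08:15:02|jsmith|MRN-1234567|VIEW_CHART|WS-ER-03",       # real patient
    "2010-07-10T08:20:11|jsmith|MRN-9000101|SEARCH_RESULT|WS-ER-03",    # decoy listed, not opened
    "2010-07-10T08:20:45|jsmith|MRN-9000101|VIEW_CHART|WS-ER-03",       # decoy opened -> hit
    "2010-07-11T13:02:09|jsmith|MRN-9000102|VIEW_NOTES|WS-ER-03",       # second decoy -> hit
    "2010-07-11T13:30:00|svc_privacy_audit|MRN-9000101|VIEW_CHART|WS-IT-01",  # exempt
    "2010-07-12T09:00:00|rjones|MRN-9000103|VIEW_BILLING|WS-BIZ-12",    # decoy opened -> hit
    "garbage line from a truncated export",                              # ignored
]


if __name__ == "__main__":
    for user, s in summarize_by_user(find_decoy_hits(SAMPLE_LOG)).items():
        print(f"{user}: {s['reads']} decoy read(s), {s['distinct_decoys']} distinct, "
              f"{s['first'].isoformat()} .. {s['last'].isoformat()}, {s['workstations']}")
```

The per-user summary, rather than a raw event list, is what HR and counsel need when they act on a hit: how many decoys were opened, over what period, and from which workstations. The same code runs unchanged over a much larger export, and the decoy set can be rotated without touching the detection logic.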

Dom Nicastro is a contributing writer. He edits the Medical Records Briefings newsletter and manages the HIPAA Update Blog.
